Business email compromise — impersonation
Opposing counsel, the client, or a vendor isn't who they appear to be. A new mailbox rule is quietly forwarding privileged threads.
Lookalike-domain impersonation of opposing counsel, clients, co-counsel, or vendors, plus malicious mailbox-forwarding rules that quietly exfiltrate threads. Includes the payroll-redirect variant aimed at the administrator.
The first hour
What to do, in order.
- 01. Confirm the sender out-of-band — pick up the phone and call a known number from the file, not one taken from the email.
- 02. In Microsoft 365 / Google Workspace, search every mailbox for inbox forwarding rules and external auto-forwarding. Remove and document.
- 03. Force a password reset and MFA re-enrollment on any mailbox showing rule tampering or anomalous logins.
- 04. Preserve the suspicious messages with full headers; export the audit log for the relevant timeframe.
- 05. Notify any client or counterparty whose thread was visible to the attacker.
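Steps 02 and 04 are the technical ones, so here is an added example of how a responder would work them in Exchange Online PowerShell. This is not part of the playbook: it assumes the ExchangeOnlineManagement module, an account with mailbox-read and View-Only Audit Logs rights, and placeholder values for the admin UPN and case folder; it preserves the evidence first and only then removes the rules.

```powershell
# Added example, not the playbook's own code. Enumerates mailbox-level forwarding and inbox
# rules that forward, redirect or delete mail across the tenant, then exports the audit-log
# entries that created or changed rules in the incident window.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder admin UPN

$outDir = "C:\IR\bec-case-PLACEHOLDER"                         # placeholder case folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Mailbox-level forwarding (set through Set-Mailbox / OWA settings, separate from inbox rules).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Csv "$outDir\mailbox-forwarding.csv" -NoTypeInformation

# 2. Inbox rules that forward, redirect or delete (the pattern used to siphon and hide threads).
$suspect = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, RuleIdentity
}
$suspect | Export-Csv "$outDir\suspect-inbox-rules.csv" -NoTypeInformation

# 3. Preserve the audit trail: who created or changed rules, when, and from which session.
$start = (Get-Date).AddDays(-30); $end = Get-Date                # adjust to the incident window
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, Remove-InboxRule, UpdateInboxRules, Set-Mailbox |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv "$outDir\audit-rule-changes.csv" -NoTypeInformation

# Only after the CSVs are reviewed and preserved, remove what was found:
#   Remove-InboxRule -Mailbox <upn> -Identity <RuleIdentity> -Confirm:$false
#   Set-Mailbox -Identity <upn> -ForwardingSmtpAddress $null -ForwardingAddress $null
Disconnect-ExchangeOnline -Confirm:$false
```

The AuditData column holds JSON with the client IP and session details for each rule change, which is what ties a rule to an anomalous login in step 03. Google Workspace has the equivalent data in the Admin console's email log search and user settings audit, not shown here.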
Key decisions
The questions you'll be asked.
- Was privileged information exposed?
  - Treat any mailbox compromise as exposure of every thread in that mailbox until proven otherwise. Audit logs determine which messages were actually read or downloaded.
- Do we have to notify clients?
  - If the compromise touched client confidences, Rules 1.4 / 1.6 / Opinion 483 push toward client notification. Document the analysis either way.
Regulatory & ethical hooks
What the rules say.
- ABA Model Rule 1.6(c) — Safeguarding client information
- ABA Formal Opinion 477R — Securing communication of protected client information
- State data-breach notification laws (third-party PII in threads)
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.